S
SAA (Service Assurance Agent), Cisco, 334–335
SAs (security associations)
message integrity, 144
removing unnecessary, 125–126
VPNs and, 140–141
scope section, of security policy, 26
scripts
changing system configuration, 467–468
changing system image, 453, 457
Secure Hash Algorithm 1 (SHA-1), 143
secure interior, 371–385
branch/remote offices, 383–384
building access module, 381
building distribution module, 379–381
core module, 378
enterprise campus, 375–377
lab module, 382–383
management module, 381–382
overview, 372
server module, 378–379
system segments with VLANs, 375
trust models, 373–375
VLANs, 372
secure perimeter
dual firewalls for DMZ, 351–353
e-commerce access module, 366–368
extranet access module, 364–365
Internet module, 354–360
multi-home firewall for DMZ, 349–351
overview, 348
VLANs in DMZs, 353–354
VPN remote access module, 360–362
WAN access module, 363
wireless access module, 365–366
Secure Socket Layer (SSL), 108–110, 411–412
security associations (SAs)
message integrity, 144
removing unnecessary, 125–126
VPNs and, 140–141
security cost justification
data gathering, 491
presenting results of risk analysis, 496
quantitative vs. qualitative risk analysis, 491–495
risk analysis, 488–489
threat identification, 489–490
valuation of assets and information, 490–491
valuation of protection, 495–496
security incidents, 29. See also incident response
Security Monitor, Cisco
e-mail alerts, 99–102
logs, 96–97
reports, 97–98
security policy
adhering to, 391–393
designing, 23–26
implementing and enforcing, 26
monitoring, 26
overview of, 20
preventing failure of, 37
prevention mechanisms in, 396–397
protecting against all known threats, 393–396
purpose of, 22–23
reasons for failure of, 36
reviewing, 37, 391
role of, 20–21
sections of, 26–29
terminology, 22
types of, 30–35
updating, 37
weaknesses to address, 35–36
segmentation of network with VLANs, 372–375
sensors, IDS/IPS. See network sensors
server module, enterprise campus, 378–379
servers
authentication server, 249–250, 266, 303
Cisco Secure ACS, 287–288, 308–310
determining location of server resources, 7
disabling DHCP server, 257
disabling small servers on IOS devices, 164
finger server, 166
IAS server, 283–286, 304–308
server-based Internet content filters, 207–210
Service Assurance Agent (SAA), Cisco, 334–335
Service Set Identifier (SSID), 245–246, 252–254
SHA-1 (Secure Hash Algorithm 1), 143
show interface command, 441
signature-based detection, 77
signatures, IDS/IPS
blocking traffic with, 103
customizing prebuilt, 92–93
disabling, 91
filtering, 91–92
maintaining, 90
writing custom, 93–94
Simple Network Management Protocol. See SNMP (Simple Network Management Protocol)
Single Loss Expectancy (SLE), 493
site-to-site VPNs, 108, 362
SLE (Single Loss Expectancy), 493
Sniffer Distributed, Network Associates, 404
SNMP (Simple Network Management Protocol)
configuring for WAPs, 255–256
managing network devices, 171
performance management, 333–334
problems with, 60
securing versions of, 171–173
steps in hardening, 61–62
upgrading system image and, 457
SPAN (Switched Port Analyzer), 86–87, 213
Spanning Tree Protocol. See STP (Spanning Tree Protocol)
SSH
3DES/SSH compared with Telnet, 103
preventing remote administration, 42–44
securing remote administration, 44–48
VPNs and, 110
vulnerabilities, 394
SSID (Service Set Identifier), 245–246, 252–254
SSL (Secure Socket Layer), 108–110, 411–412
staffing. See also training
contractors, 501
increasing headcount, 500
individual roles and responsibilities, 507–508
knowledge management, 509–510
organizational/group roles and responsibilities, 508–509
outsourcing, 501
overview, 500
recruitment, 502–505
retention, 506–507
standards
configuration management, 330–331, 333
function of, 22
IP address, 330
network management, 313
security policy, 20
STP (Spanning Tree Protocol)
disabling on IOS devices, 199–200
location of, 6
preventing spoofing attacks, 380
services for, 200–201
support team members, CIRT, 519
SurfControl
filtering levels, 214
filtering rules, 214–221
overview, 213–214
reports, 221–222
switch port, MAC addresses, 248
switched networks, IDS/IPS sensor placement, 86–87
Switched Port Analyzer (SPAN), 86–87, 213
switches. See also network devices (IOS)
802.1x networks, 303
authentication, 304–310
blocking, 103–104
Cisco Catalyst 2950 switch, 213–214
configuring for RADIUS server, 305
DAI (Dynamic ARP inspection), 202–203
policy, 33
port security, 201–202
private VLANs and, 195–196
storm control, 203
STP and, 199–201
VACLs and, 196–197
VLAN hopping, 194–195
VTP and, 198–199
SYN (synchronization) requests, TCP, 409
syslog. See also Kiwi Syslog
alerts for configuration management, 332
IOS devices and, 170
logs, 96
managing firewalls with, 62–63
risks associated with, 63–64
system configuration
automating change, 465–472
manually changing, 464–465
overview, 464
viewing, 442
system image
automating change, 457–464
manually changing, 454–456
methods for changing, 452–453